Overview

overview

10

Static

static

1

dridex

windows10-1703-x64

10

Analysis

  • max time kernel
    50s
  • max time network
    63s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags

    arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
  • submitted
    27-03-2023 19:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    64aa9e753e4a2a0d36e4990008463c06540a617d554e812e2e9007991f04071b.exe

  • Size

    696KB

  • MD5

    3d820357aa71dda3a8b9b5f88bcf7c53

  • SHA1

    8349875b68ea959ef7c9e3bb3a2a4fdb5b81e074

  • SHA256

    64aa9e753e4a2a0d36e4990008463c06540a617d554e812e2e9007991f04071b

  • SHA512

    5f42f5fd0bb57b4cb47f6e2a9ae340965dd1062b0997f6da2da324d866c0be85eda91d5394fb071778b2f388b33647a77a2f4c7356ec67d64197e1feafa18506

  • SSDEEP

    12288:vMr7y90lr+NbxmbilQjSwBFTy0jitrBKJs3Cz423Jspl5RorBJHFdwG8yz:AyQAcjPetpu4qGpWHFc4

Score
10/10
redlinefromrosndiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

from

C2

176.113.115.145:4125

Attributes
  • auth_value

    8633e283485822a4a48f0a41d5397566

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 22 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\64aa9e753e4a2a0d36e4990008463c06540a617d554e812e2e9007991f04071b.exe
    "C:\Users\Admin\AppData\Local\Temp\64aa9e753e4a2a0d36e4990008463c06540a617d554e812e2e9007991f04071b.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396261.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396261.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:2436
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1651.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1651.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2520
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0345.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0345.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2780
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591015.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591015.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4160

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591015.exe
    Filesize

    175KB

    MD5

    142f567d3c9814d0753fc702f98943ad

    SHA1

    3b97f6126436837e4199f0ea69dc540a2979a9d4

    SHA256

    eae679226db5e0b8d769bba09910a03923ed960d15678a2eadc7fb49e9c77ce3

    SHA512

    ed35e9196c0aad3ad399493cdf90894da44d605635c6b6429e785368db9ab521ae2da727781a66f83c7565f47a840ff8971229b6cbda5a8f734138c1930ca854

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\si591015.exe
    Filesize

    175KB

    MD5

    142f567d3c9814d0753fc702f98943ad

    SHA1

    3b97f6126436837e4199f0ea69dc540a2979a9d4

    SHA256

    eae679226db5e0b8d769bba09910a03923ed960d15678a2eadc7fb49e9c77ce3

    SHA512

    ed35e9196c0aad3ad399493cdf90894da44d605635c6b6429e785368db9ab521ae2da727781a66f83c7565f47a840ff8971229b6cbda5a8f734138c1930ca854

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396261.exe
    Filesize

    553KB

    MD5

    46ebcdaba18af4c68020621560d65e44

    SHA1

    4c30f34b5ea6941e563e11b70a030741bd822e72

    SHA256

    30440a9803baf77a8234b4a4f97599917dbbd35904795df427d49a28038356a5

    SHA512

    946ae202472684408900f043130f65f5844a998f5675e71ad45b0d5c84a2d52d92d1748e8af741601768f93cd10ebc8e7b2de34593aaf95352991a5c00a96248

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\un396261.exe
    Filesize

    553KB

    MD5

    46ebcdaba18af4c68020621560d65e44

    SHA1

    4c30f34b5ea6941e563e11b70a030741bd822e72

    SHA256

    30440a9803baf77a8234b4a4f97599917dbbd35904795df427d49a28038356a5

    SHA512

    946ae202472684408900f043130f65f5844a998f5675e71ad45b0d5c84a2d52d92d1748e8af741601768f93cd10ebc8e7b2de34593aaf95352991a5c00a96248

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1651.exe
    Filesize

    308KB

    MD5

    aedec8457f1481e8c36c1c86ea51fba5

    SHA1

    2f06d50c61f73ebafb6669aaf104dc85fcd5d61d

    SHA256

    bb55038e9f30096df86cc941fefd96a801d69d4727c98936dac1b70dac52b9f2

    SHA512

    8f9af594f06ae86099a0d2a1782b67a6f9bb85a4269256b9752af891ff1f740b9cbf484aaf86b046248e51208ceaf5b375834c9cb378bc1120916171f0f039ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\pro1651.exe
    Filesize

    308KB

    MD5

    aedec8457f1481e8c36c1c86ea51fba5

    SHA1

    2f06d50c61f73ebafb6669aaf104dc85fcd5d61d

    SHA256

    bb55038e9f30096df86cc941fefd96a801d69d4727c98936dac1b70dac52b9f2

    SHA512

    8f9af594f06ae86099a0d2a1782b67a6f9bb85a4269256b9752af891ff1f740b9cbf484aaf86b046248e51208ceaf5b375834c9cb378bc1120916171f0f039ef

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0345.exe
    Filesize

    366KB

    MD5

    ca90fdcf9659bc1b9fe0b344a62d7d3c

    SHA1

    3702c35bdcee23de931566095fe1afbb6ccb943a

    SHA256

    76f6af64cacea0bc3ee851e4d05fd63da747e3e7eb7ad4cb916b8cca9bbcf01c

    SHA512

    2d6d572d314ecf12cc97f6f78dc7198cf64afbb0dcf486124975f5c9072daacd2f1745f168064d5335a787fc61b1731e12f9f7826d7ce3852596397a9a1c4ecb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\qu0345.exe
    Filesize

    366KB

    MD5

    ca90fdcf9659bc1b9fe0b344a62d7d3c

    SHA1

    3702c35bdcee23de931566095fe1afbb6ccb943a

    SHA256

    76f6af64cacea0bc3ee851e4d05fd63da747e3e7eb7ad4cb916b8cca9bbcf01c

    SHA512

    2d6d572d314ecf12cc97f6f78dc7198cf64afbb0dcf486124975f5c9072daacd2f1745f168064d5335a787fc61b1731e12f9f7826d7ce3852596397a9a1c4ecb

    Download Submit

  • memory/2520-136-0x00000000001D0000-0x00000000001FD000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2520-137-0x0000000000970000-0x000000000098A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2520-138-0x0000000005000000-0x0000000005010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2520-139-0x0000000005000000-0x0000000005010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2520-140-0x0000000005010000-0x000000000550E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2520-141-0x00000000023A0000-0x00000000023B8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2520-142-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-143-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-145-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-147-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-149-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-151-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-153-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-155-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-157-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-159-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-161-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-163-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-165-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-167-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-169-0x00000000023A0000-0x00000000023B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2520-170-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2520-171-0x0000000005000000-0x0000000005010000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2520-173-0x0000000000400000-0x000000000070F000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/2780-178-0x0000000002280000-0x00000000022C6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/2780-179-0x0000000002580000-0x00000000025C4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2780-180-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-181-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-183-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-185-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-187-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-189-0x0000000000720000-0x000000000076B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2780-190-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-193-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-194-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-192-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-196-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-197-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-199-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-201-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-203-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-205-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-207-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-209-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-211-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-213-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-215-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-217-0x0000000002580000-0x00000000025BF000-memory.dmp

    Filesize

    252KB

    Download

  • memory/2780-1090-0x00000000052D0000-0x00000000058D6000-memory.dmp

    Filesize

    6.0MB

    Download

  • memory/2780-1091-0x00000000058E0000-0x00000000059EA000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/2780-1092-0x0000000005A00000-0x0000000005A12000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2780-1093-0x0000000005A20000-0x0000000005A5E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2780-1094-0x0000000005BB0000-0x0000000005BFB000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2780-1095-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-1097-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-1098-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-1099-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-1100-0x0000000005D00000-0x0000000005D92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2780-1101-0x0000000005DA0000-0x0000000005E06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2780-1102-0x00000000064B0000-0x0000000006672000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2780-1103-0x0000000006680000-0x0000000006BAC000-memory.dmp

    Filesize

    5.2MB

    Download

  • memory/2780-1104-0x00000000021A0000-0x00000000021B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2780-1105-0x0000000006F20000-0x0000000006F96000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2780-1106-0x0000000006FB0000-0x0000000007000000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4160-1112-0x0000000000710000-0x0000000000742000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4160-1113-0x0000000002C50000-0x0000000002C9B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/4160-1114-0x0000000005320000-0x0000000005330000-memory.dmp

    Filesize

    64KB

    Download